<!doctype html>
<html lang="en">

<head>
  <!-- Required meta tags -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

  <!-- CSS -->
  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
  <link rel="stylesheet" href="https://pro.fontawesome.com/releases/v5.15.1/css/all.css" integrity="sha384-9ZfPnbegQSumzaE7mks2IYgHoayLtuto3AS6ieArECeaR8nCfliJVuLh/GaQ1gyM" crossorigin="anonymous">
  <link rel="stylesheet" href="roboto/css/roboto.css">
  <link rel="stylesheet" href="styles.css">
  <script src="main.js"></script>

  <!-- Favicon -->
  <link rel="icon" type="image/png" sizes="192x192" href="/assets/android-icon-192x192.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/assets/favicon-32x32.png">
  <link rel="icon" type="image/png" sizes="96x96" href="/assets/favicon-96x96.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/assets/favicon-16x16.png">

  <title>systeminformation</title>

</head>

<body>
  <nav class="nav">
    <div class="container">
      <a href="."><img class="logo float-left" src="assets/logo.png" alt="logo">
        <div class="title float-left">systeminformation</div>
      </a>
      <div class="text float-right github"><a href="https://github.com/sebhildebrandt/systeminformation">View on Github <i class="fab fa-github"></i></a></div>
      <div class="text float-right todocs"><a href="./#docs">Docs Overview</a></div>
    </div>
  </nav>

  <div class="container-fluid">
    <section class="container">
      <div class="row">
        <div class="col-12 col-md-4 col-lg-3 col-xl-2 menu" id="menu">
        </div>
        <div class="col-12 col-md-8 col-lg-9 col-xl-10 content">
          <div class="row">
            <div class="col-12 sectionheader">
              <div class="title">Security Advisories</div>
              <div class="text">
                <h2>SSID Command Injection Vulnerability</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 5.23.7<br>
                  <span class="bold">Date:</span> 2024-11-11<br>
                  <span class="bold">CVE identifier:</span> CVE-2024-56334
                </p>

                <h4>Impact</h4>
                <p>A crafted SSID detected by <span class="code">networkInterfaces()</span> on Windows machines could lead to command injection.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with parameter checking. If you are using version 5, please upgrade to version >= 5.23.7.</p>
                <hr>
                <br>

                <h2>Passing User Parameters to Systeminformation</h2>
                <p>For most applications that use <span class="code">systeminformation</span>, there is no reason to worry. <span class="bold">But be aware!</span> If you pass arbitrary untrusted user input to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> or <span class="code">versions()</span>, you should pay extra attention! We do a lot of input sanitization for those functions inside this package, but we cannot handle all cases!</p>
                <p class="warning">This can lead to serious impact on your servers!</p>
                <p>We highly recommend always upgrading to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install the latest version by placing <span class="code">"systeminformation": "^4"</span> in your package.json (dependencies) and running <span class="code">npm install</span>.</p>
                <hr>
                <br>

                <h2>SSID Command Injection Vulnerability</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 5.21.07 (version 4 is not affected)<br>
                  <span class="bold">Date:</span> 2023-09-19<br>
                  <span class="bold">CVE identifier:</span> CVE-2023-42810
                </p>

                <h4>Impact</h4>
                <p>A crafted SSID detected by <span class="code">wifiConnections()</span> or <span class="code">wifiNetworks()</span> could lead to command injection.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with parameter checking. If you are using version 5, please upgrade to version >= 5.7.21 (version 4 is not affected).</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">wifiConnections()</span> and <span class="code">wifiNetworks()</span> (accept strings only).</p>
                <hr>
                <br>

                <h2>Command Injection Vulnerability</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 5.6.13 and &lt; 4.34.21<br>
                  <span class="bold">Date:</span> 2021-05-04<br>
                  <span class="bold">CVE identifier:</span> -
                </p>

                <h4>Impact</h4>
                <p>Passing non-string values as a parameter to <span class="code">dockerImagesInspect()</span>, <span class="code">dockerContainerInspect()</span> or <span class="code">dockerContainerProcesses()</span> could lead to command injection.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with parameter checking. Please upgrade to version >= 5.6.13 (or >= 4.34.21 if you are using version 4).</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">dockerImagesInspect()</span>, <span class="code">dockerContainerInspect()</span> and <span class="code">dockerContainerProcesses()</span> (accept strings only).</p>
                <hr>
                <br>
                <h2>Command Injection Vulnerability</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 5.6.11 and &lt; 4.34.20<br>
                  <span class="bold">Date:</span> 2021-04-08<br>
                  <span class="bold">CVE identifier:</span> -
                </p>

                <h4>Impact</h4>
                <p>Passing non-string values as a parameter to <span class="code">versions()</span> could lead to command injection.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with parameter checking. Please upgrade to version >= 5.6.11 (or >= 4.34.20 if you are using version 4).</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">versions()</span> (accept strings only).</p>
                <hr>
                <br>
                <h2>Command Injection Vulnerability</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 5.6.4 and &lt; 4.34.17<br>
                  <span class="bold">Date:</span> 2021-03-15<br>
                  <span class="bold">CVE identifier:</span> CVE-2021-21388
                </p>

                <h4>Impact</h4>
                <p>Passing a manipulated string prototype as a parameter to the following functions could lead to command injection. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with additional parameter checking. Please upgrade to version >= 5.6.4 (or >= 4.34.17 if you are using version 4).</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span> and <span class="code">processLoad()</span> (accept strings only).</p>
                <hr>
                <br>
                <h2>Insufficient File Scheme Validation</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 5.3.2 and &lt; 4.34.12<br>
                  <span class="bold">Date:</span> 2021-02-15<br>
                  <span class="bold">CVE identifier:</span> -
                </p>

                <h4>Impact</h4>
                <p>Due to improper file scheme validation, <span class="code">inetChecksite()</span> could be run against local files. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.2 (or >= 4.34.12 if you are using version 4).</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">inetLatency()</span> and <span class="code">inetChecksite()</span> (reject <span class="code">file://</span> parameters).</p>
                <hr>
                <br>
                <h2>Command Injection Vulnerability</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 5.3.1 and &lt; 4.34.11<br>
                  <span class="bold">Date:</span> 2021-02-14<br>
                  <span class="bold">CVE identifier:</span> CVE-2021-21315
                </p>

                <h4>Impact</h4>
                <p>Passing a manipulated array as a parameter to the following functions could lead to command injection. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.1 (or >= 4.34.11 if you are using version 4).</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span> and <span class="code">processLoad()</span> (accept strings only).</p>
                <hr>
                <br>
                <h2>DoS Injection Vulnerability</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 5.2.6 and &lt; 4.34.10<br>
                  <span class="bold">Date:</span> 2021-02-12<br>
                  <span class="bold">CVE identifier:</span> -
                </p>

                <h4>Impact</h4>
                <p>A crafted parameter could make the underlying ping command run for far too long (denial of service). Affected commands: <span class="code">inetLatency()</span>.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with a shell string sanitization fix. Please upgrade to version >= 5.2.6 (or >= 4.34.10 if you are using version 4).</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">inetLatency()</span> (no spaces).</p>
                <hr>
                <br>
                <h2>Command Injection Vulnerability</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 4.31.1<br>
                  <span class="bold">Date:</span> 2020-12-11<br>
                  <span class="bold">CVE identifier:</span> CVE-2020-26274, CVE-2020-28448
                </p>

                <h4>Impact</h4>
                <p>Commands could be injected into the command line of your machine via systeminformation. Affected commands: <span class="code">inetLatency()</span>.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with a shell string sanitization fix. Please upgrade to version >= 4.31.1.</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">inetLatency()</span>.</p>

                <hr>
                <br>
                <h2>Command Injection Vulnerability - Prototype Pollution</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 4.30.5<br>
                  <span class="bold">Date:</span> 2020-11-26<br>
                  <span class="bold">CVE identifier:</span> CVE-2020-26245
                </p>

                <h4>Impact</h4>
                <p>Commands could be injected into the command line by property pollution on the String object. Affected commands: <span class="code">inetChecksite()</span>.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with a shell string sanitization fix as well as handling of prototype pollution. Please upgrade to version >= 4.30.5.</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">inetChecksite()</span>.</p>

                <hr>
                <br>
                <h2>Command Injection Vulnerability</h2>
                <p><span class="bold">Affected versions:</span>
                  &lt; 4.27.11<br>
                  <span class="bold">Date:</span> 2020-10-26<br>
                  <span class="bold">CVE identifier:</span> CVE-2020-7752
                </p>

                <h4>Impact</h4>
                <p>Commands could be injected into the command line of your machine via systeminformation. Affected commands: <span class="code">inetChecksite()</span>.</p>

                <h4>Patch</h4>
                <p>The problem was fixed with a shell string sanitization fix. Please upgrade to version >= 4.27.11.</p>

                <h4>Workaround</h4>
                <p>If you cannot upgrade, be sure to check or sanitize the parameter strings passed to <span class="code">inetChecksite()</span>.</p>
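                <p>The workarounds above, and the "Passing User Parameters" section, all reduce to the same checks before untrusted input reaches the library: accept only primitive strings (which also rejects arrays and objects that imitate a string through their prototype), allow no spaces or shell metacharacters in hosts given to <span class="code">inetLatency()</span>, and refuse anything but http(s) URLs for <span class="code">inetChecksite()</span>. The guard below is an added example and not code from the systeminformation project; its function names, character classes and the comma-separated name rule are assumptions of this example.</p>

```javascript
// Added example (not part of systeminformation): validate caller-supplied
// arguments before they reach inetLatency(), inetChecksite(), services(),
// processLoad(), versions() or the docker*Inspect() functions.
// Function names, regexes and limits here are assumptions of this example.

// "String only": a primitive string. Arrays, plain objects, String wrapper
// objects and objects whose prototype imitates a string all fail this test.
function isPlainString(value) {
  return typeof value === 'string';
}

// Host rule for inetLatency(): hostname or IP literal characters only.
// The character class contains no whitespace, so "no spaces" holds too.
const HOST_RE = /^[A-Za-z0-9.:\-\[\]]{1,253}$/;
function isSafeHost(value) {
  return isPlainString(value) && HOST_RE.test(value);
}

// URL rule for inetChecksite(): parse with the WHATWG URL class and allow
// only http(s), so a file:// URL can never reach the site check.
function isSafeSiteUrl(value) {
  if (!isPlainString(value)) return false;
  let url;
  try { url = new URL(value); } catch { return false; }
  const schemeOk = url.protocol === 'http:' || url.protocol === 'https:';
  return schemeOk && HOST_RE.test(url.hostname);
}

// Name-list rule for services(), processLoad(), versions() and the docker*()
// functions: comma-separated plain identifiers ('*' assumed acceptable).
const NAME_RE = /^[A-Za-z0-9_.\-*]+(,[A-Za-z0-9_.\-*]+)*$/;
function isSafeNameList(value) {
  return isPlainString(value) && NAME_RE.test(value);
}

// Throw before the library call so a rejected value never reaches it.
// Usage: si.inetLatency(guardedArg('host', userInput)).
function guardedArg(kind, value) {
  const check = { host: isSafeHost, url: isSafeSiteUrl, names: isSafeNameList }[kind];
  if (!check || !check(value)) {
    throw new TypeError(`systeminformation ${kind} argument rejected`);
  }
  return value;
}
```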

              </div>
            </div>
          </div>
        </div>
      </div>
    </section>
  </div>
  <footer class="container-fluid footer">
    <div class="container">
      <div class="row">
        <div class="col-lg-4 col-12">
          <ul class="list-unstyled">
            <li><a href="." class="medium home">Home</a></li>
            <li>&nbsp;</li>
            <li><a href="security.html">Security Advisories&nbsp;&nbsp;<i class="fas fa-shield-check"></i></a></li>
            <li><a href="https://github.com/sebhildebrandt/systeminformation">Github <i class="fab fa-github"></i></a></li>
            <li>&nbsp;</li>
            <li><a href="https://buymeacoff.ee/systeminfo" class="medium badge bg-primary"><i class="fas fa-coffee"></i>&nbsp;&nbsp;Buy me a coffee</a></li>
          </ul>
        </div>
        <div class="col-lg-4 col-12">
          <ul class="list-unstyled">
            <li><a href="gettingstarted.html">Quick Start</a></li>
            <li><a href="changes.html">Version 5 Changes</a></li>
            <li><a href="history.html">Full Version History</a></li>
            <li><a href="tests.html">Testing</a></li>
            <li><a href="issues.html">Known Issues</a></li>
            <li><a href="statsfunctions.html">Stats Functions</a></li>
          </ul>
        </div>
        <div class="col-lg-4 col-12">
          <ul class="list-unstyled">
            <li><a href="contributors.html">Contributors</a></li>
            <li><a href="trademarks.html">Trademarks</a></li>
            <li>&nbsp;</li>
            <li><a href="copyright.html">Copyright &amp; License&nbsp;&nbsp;<img src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square" alt="MIT license" /></a></li>
            <li><a href="https://www.plus-innovations.com">&copy; 2025 Sebastian Hildebrandt</a></li>
            <li><a href="https://www.plus-innovations.com">+innovations GmbH</a></li>
          </ul>
        </div>
      </div>
    </div>
  </footer>

  <script>
    window.onload = function (e) {
      createMenu();
    }
  </script>
</body>

</html>
